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ABSTRACT 

The Sarbanes-Oxley Act (SOX) revolutionized the accounting and audit industry. The use of 
preventative and process controls to evaluate the continuous audit process done via an SAP ERP 
ECC 6.0 system is key to compliance with SOX and managing costs. This paper can be used in a 
variety of ways to discuss issues associated with auditing and testing of internal controls. A case 
study is provided to effectively teach SAP system controls in undergraduate/graduate courses in 
auditing and information systems. 
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PRIOR RESEARCH AND BACKGROUND INFORMATION 



his paper identifies the importance of internal controls in the field of auditing and the need to properly 
educate users of SAP systems. SAP is the leading pioneer in enterprise systems and is currently used 
in most Fortune 500 firms. More specifically, the uses of SAP internal controls are examined in 
mitigating the risk in a SAP Enterprise Resource Planning (ERP) system. A case-study is provided to analyze 
internal controls in a classroom setting to better prepare future system auditors for their professional careers. This 
case-study was developed and tested at Saint Joseph’s University in Philadelphia, Pennsylvania. It is utilized in 
several of the financial core and auditing courses offered by the University within their accounting curriculum. 
Evaluation of controls shows how embedded preventative and process controls can enable the continuous audit 
process to prevent risk, reduce costs, and make the audit process more efficient. Classroom educating in this field 
demonstrates the minimum technical skills required for accountants to be productive in this evolving discipline. 


The Sarbanes-Oxley Act (SOX), created in July of 2002, drove public companies to seek more accurate 
auditing information, internal controls, and disclosure, as well as cost savings. Research shows financial executives 
reported estimated cost increases in audit and external consulting fees, people-hours, and other vendor expenses. 
Prior to SOX, “the accounting profession failed to address the underlying issues regarding fraud, abuse and conflict 
of interest. Now the requirements of full disclosure, accuracy and transparency should lead to a more fair market for 
investors” (Sarbanes-Oxley: An Overview of Current Issues and Concerns, 2007). By 2005, companies that 
complied with SOX experienced better internal controls than those that did not. The embedded preventative and 
process controls streamline the continuous audit process, which reduces costs, while increasing the accuracy and 
depth of reporting by public companies on their end-of-year financial statements (Sarbanes-Oxley: An Overview of 
Current Issues and Concerns, 2007). 


All controls in a system are governed by COBIT or the Control Objectives for Information and Related 
Technology. COBIT is a framework for developing, implementing, monitoring and improving information 
technology (IT) governance and management practices. COBIT framework is published by the IT Governance 
Institute and the Information Systems Audit and Control Association (ISACA). The goal of the framework is to 
provide a common language for business executives to communicate with each other about goals, objectives and 
results (Rouse, 2013). All consulting firms and companies set up their systems using the COBIT framework. 
Understanding this framework is a very valuable skill for students to learn as they enter the workforce. This 
framework also enables a system to audit itself. If the controls are working effectively and efficiently, the system 


Copyright by author(s); CC-BY 


349 


The Clute Institute 



American Journal Of Business Education - Fourth Quarter 2014 _ Volume 7, Number 4 

will either prevent errors from happening (preventative controls) or detect them while they are happening, so as to 
report the dysfunction and alert auditors (detective and output controls). 

According to a 2006 PricewaterhouseCoopers study, companies use continuous auditing to “shorten audit 
cycle times and provide more timely risk and controls assurance” (PwC, 2006). In the same survey, 
PricewaterhouseCoopers found that 81% of 392 companies use continuous auditing or planned to do so (PwC, 
2006). In general, continuous auditing process aims to reduce overall costs and distribute the work throughout the 
entire year. Simultaneously, continuous auditing, in conjunction with systems like SAP, can improve the accuracy 
and reliability of financial statements, while also reducing the time period to produce them. The controls present in 
SAP help the audit process by limiting the amount of errors and providing detailed reports on any error that may 
occur. 


To meet the demands of public companies and accounting firms, business schools across the country have 
implemented SAP into the curriculum with varying degrees of success. Most schools implemented SAP on a limited 
course-by-course basis. Students also view SAP as an important way to gain real world applications that can be 
marketed to prospective employers (Rosemann and Maurizio, 2005). However, students experience difficulty with 
the complexity and scope of SAP. Most student issues are system-based rather than course-based (Rosemann and 
Maurizio, 2005). These issues revolve around controls pre-configured by the system administrators. 

Teaching ERP systems cannot only improve the learning of business processes, it has also become a 
necessary tool for students in the new technological age. Bloom, Luchs, and Myring (2009) explain that internal 
auditors must now have strong technical skills in order to address enterprise-wide risk and governance issues 
through implementing technology and understanding the risks of that audit technology. CEOs confirmed this in a 
survey conducted by PwC in 2011: “Participants rated the more technical skills of knowledge within risk 
management approaches and specific technology expertise as the most important skills needed over the next three 
years (PwC, 2011)”. Therefore, to match the demand for increasing knowledge and familiarity of ERP systems, it is 
necessary to implement them into university business curricula. The best documented way to teach these technical 
skills is through applying hands-on applications within the systems. Finally, since an understanding of internal 
controls are essential for continuous auditing to be effective, it is imperative to incorporate tutorials on these 
controls as a segment in teaching audit and audit-related courses. 

MOTIVATION AND METHODOLOGY 

The authors’ real world application scenario is based on a case developed by SAP. Students utilize SAP 
controls to perform internal audits. With these audits, students are likely to find a number of control errors. They 
create reports stating their findings recommending possible solutions to overcome the gaps they encounter. Saint 
Joseph’s University is a member of the SAP University Alliance and has access to live SAP clients fully configured 
with the Global Bike Incorporated case. 

THE STARTRACKER CASE 

Company Information 

Global Bike Incorporated (GBI) is a fictional company that was created through the SAP University 
Alliance Program to enhance SAP classroom education (Magal and Word, 2012). 

GBI is a world class bicycle company serving the professional and “prosumer” cyclists for touring and off¬ 
road racing. GBI’s riders demand the highest level of quality, toughness, and performance from their bikes and 
accessories. 

GBI was founded in 2001 following the merger of two bicycle manufacturers - one based in the US and the 
other in Germany. GBI has three lines of business - deluxe and professional touring bikes, men’s and women’s off¬ 
road bikes, and bike accessories. GBI sells its bikes to a network of specialized dealers throughout the world and 
procures its raw materials from a variety of suppliers globally. Due to tax and export issues, GBI’s headquarters is 
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located in Dallas, Texas, and is registered under U.S. GAAP and the SEC as a public company. GBI has a subsidiary 
- GBI Europe - which is located in Fussen, Germany, and uses IFRS accounting standards and German tax 
regulations (Magal and Word). 

In 2009, GBI adopted SAP Enterprise Resource Planning (ERP) software to integrate all of the aspects of 
the business. Prior to this, all functions of the business used independent application systems. The transition to SAP 
was beneficial to GBI because it centralized all the company’s divisions and reduced costs globally. 

With the new ERP system, many of the internal controls are automated within the system. Senior 
Management has enough experience over the years that he is able to navigate and do some basic analysis of the ERP 
system. However, he will most likely need to enlist the help of an ERP consultant to help him sort out where to look 
for all the relevant controls. 

The following conversation occurred at GBI’s Headquarters among Joseph Magar (CFO), Christopher 
Puccini (VP of Internal Audit) and Brandon Rosini (Independent Auditor): 

Joseph Magar: Complaints have been increasing with our employees using SAP. It is not as “ automated” as I 
would like it to be. I wish that the system could reduce the amount of people-hours required to produce our financial 
statements in compliance with SOX. 

Christopher Puccini: I agree. The system does a good job of eliminating paper and retaining files, but I’m not so 
sure it was entirely necessary. We spent a lot of money implementing the system and training our personnel. 

Brandon Rosini: I think you both underestimate how effective the SAP system has been here. It automates many 
controls that are not all obvious to the user. 

Magar: All I know is that it creates a lot of implementation issues. We made a huge investment in the system and 
need to justify the costs to our shareholders with tangible results. Could we be not seeing it as the glass is half-full? 

Rosini: Not at all. The system has worked perfectly. It has five separate controls that have increased the timeliness 
and reliability of your financial data. 

Puccini: If these controls are working so well, why don't we know about them? 

Rosini: You do know about them, you just don’t realize it. To create a system that is both reliable and secure, SAP 
must have valid input controls embedded in the master files and in the process. These input controls control the 
accuracy, completeness, and validity of the data entered. To implement these controls, all source documents are 
pre-numbered and maintained within the SAP ERP system. That way, it is easier to verify if documents are missing. 

Puccini: Of all people, you know that we had a senior employee falsify documents to hit expectations. We adopted 
SAP to strengthen our controls. How do we know they are working effectively? What happens if someone puts in the 
wrong information, either intentionally or accidentally? 

Rosini: This system has fixed that issue. Your control risk is much lower this year than in any previous year. You’re 
receiving complaints because certain boxes can only contain certain information. Your employees are noticing the 
input controls which prevent them from inputting incorrect information. The system creates parameters based on 
everything within the system. If these parameters are broken, an error message will occur. For example, if GBI 
enters in the wrong plant to distribute bike accessories, the system will automatically show an error message that 
the plant cannot ship the goods. Unless the correct plant is selected, no distribution will occur. 

Magar: That seems great, but my main concern is selling bicycles. If we ’re not moving product, we won't be in 
business very long and the whole SAP system will be irrelevant. How do we know if the purchase or sales cycle is 
complete? 
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Rosini: SAP provides real-time reports about the sales cycle. You can easily check to see the movement of goods 
from a quote to payment from a customer. In the Sales Process, if the Sales Order Number is 3, the Transfer Order, 
Picking Request, Post Goods Issue, and Invoice will all match up with the Sales Order Document in the Sales Order 
History Tab. There is a Document Flow that shows all related documents involved in any part of the process. You 
can look at the results of these through financial statement analysis, SAP HANA, or the balance score card. Each of 
those will be populated with up-to-the-minute information based on the inputs of all employees. 

Puccini: That’s incredible. So you ’re saying that an SAP ERP system automatically sends the financial, material, 
stock updates, and the updated general ledger documents within the SAP system and they are stored for reference? 
That will make the internal and external auditing process much easier. 

Rosini: Yes, and you can view them at any time, day or night, with a few clicks. 

Magar: That’s all great. It might help senior management make better decisions, but how are we going to justify 
this cost to the shareholders? They only care about the bottom line. Are there any other controls in SAP that help us 
reduce costs and save time? 

Rosini: Yes, many controls have reduced costs and save time. We have noticed a 25% savings in audit costs through 
implementation of the SAP ERP system. In addition, role and user approval processes have been cut by a full 
business week. 

Magar: Impressive, but what controls would those be? 

Rosini: One example is an availability check. If GBI is trying to sell materials, the system will automatically check 
to see if GBI has enough materials to sell. If not, that obviously means GBI needs to produce or buy more materials 
to sell. In essence, the transaction cannot be completed unless GBI has the materials required to do so. 

Magar. So it helps us manage our inventory better which reduces back-orders. How do we know when materials are 
actually in our warehouses and plants? 

Rosini: This is checked automatically through data matching in which data must be matched and confirmed before 
an action can proceed (Romney and Steinbart). In the purchasing process, we record the goods received with credit 
to a GR/IR account. The goods are then included in our warehouse. A material document will also exist to move the 
material from loading dock in the warehouse to a specific storage location. When we pay off the vendor, the GR/IR 
account is debited. The account should have a zero balance afterwards. A non-zero balance indicates we haven’t 
paid. 

Puccini: 1 guess we were taking advantage of many features without knowing it. Maybe SAP was worth the cost 
after all. 

Magar: I agree this is a great sales pitch and we heard this before we decided to implement SAP, but do the controls 
really work? Or is just something sounds great, but doesn't work as advertised? 

STARTRACKER: HOW TO USE THIS CASE 

Prior to the use of this case, it is important that students be provided with an understanding of business 
processes and specifically, the sales order process. The hands-on experience of doing a sales order to cash 
application within SAP is particularly valuable. 

Global Bike Incorporated is a company that specializes in manufacturing and selling racing and off-road 
bikes. The order-to-cash process in SAP usually follows the steps as shown below: 

1. A customer calls or emails a sales representative to place a sales inquiry. If the customer is new, the sales 

representative must create a master file for the customer. 
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2. After the inquiry is created and the customer receives the quoted price, the customer will then place an 
order with a sales representative authorizing the creation of a sales order. 

3. After the sales order is created, the next step is for the goods to be picked by a warehouse employee to fill 
the order. 

4. The goods are then transferred out for delivery by the shipping personnel. 

5. The customer receives the goods and is invoiced by the billing department. 

6. The customer makes payment after receiving the goods and the invoice, and the accounts receivable clerk 
clears the customer’s account. 

After students have knowledge of the company and its sales process, an overview of the various types of 
application controls and how they work is particularly important. Application controls are input controls, processing 
controls, and output controls. Input controls are intended to prevent, detect, or correct errors during data input; thus, 
they should help ensure the accuracy and completeness of any data that are input. Processing controls are intended to 
ensure accurate and complete processing. Output controls are intended to ensure that output is properly distributed 
and disposed of and that it is accurate and complete. 

This case has been utilized in accounting information systems and auditing courses with great success. In 
conducting a test of transactions, students become familiar with how the process works and can answer essential 
questions, such as what systems-based audit controls should exist prior to conducting an audit. Using the appendices 
noted in this paper, students are able to experience how a well-designed accounting application system provides 
master files that direct information into a major business process. If these field controls are in place, the system will 
not only work effectively, but identify common process errors that need to be rectified. 

Feedback from students indicates a high level of satisfaction and that they get exposure to a real-life system 
and hands on learning. 
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APPENDIX 

Appendix A: Input Controls From Accounting Information Systems 


Process Stage 

Threat/Risk 

SAP Controls 

• Source Data and Prep 

• Source Data Collection and Entry 

• Accuracy, Completeness, and 
Authenticity Checks 

Data that is: 

• Invalid 

• Unauthorized 

• Incomplete 

• Inaccurate 

• Form Design 

• Storage of Documents 

• Authorization and Segregation of Duties 
Control 

• Data Entry Controls 


Examples Of Input Controls 

1. Validity Check: Examines a field to ensure that the data entry in the field is valid compared with a pre¬ 

existing list of acceptable values. 

• In the illustration below, a customer is selected that is not assigned to be sold in the sales area 

designated for the sale of deluxe bicycles. This hard-code error will prevent a sale until a valid 
customer is chosen. 
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2. Field Control: Required to determine availability of product for sales and shipment 

• Below, the availability check box has not been filled. The system will not allow the user to create 

the master file until the field is occupied with the correct designation. 


Sales: sales org. 2 

Sales: General/Plant 

Foreign trade export Sales text 





Material EPAD1096 


Elbow Pads 

H 

Plant DL96 


Plant Dallas 96 



General data 



Base Unit of Measure 

EA 

each 

Replacement part 



Gross Weight 

32 

oz 

Qual.f.FreeGoodsDis. 



Net Weight 

32 


Material freight grp 



Availability check 

rb 

l! j 


0Appr.batch rec. req. 



□ Batch management 






Shipping data (times in days) 

Trans. Grp 0001 On pallets LoadingGrp B 

Setup time Proc. time Base qty EA 


Packaging material data 
Matl Grp Pack.Matls 

General plant parameters 

□ Neg.stocks Profit Center SerialNoProfile ' DistProf 

SerializLevel 

Ext. customer repl. parameters 


Q Fill in all required entry fields 
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3. Availability Checks, Limit Checks, and Reasonable Checks: Below are examples of each of the following 
field controls: 


• Availability Check : Checks inventory availability for delivery on date requested 

• Limit Check : Checks to see whether shipment is possible given truck capacity 

• Reasonableness Check : On this date, does the selling price exceed the cost of the product? If not, 
an error log will appear. 
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Appendix B: Process Controls From Accounting Information Systems 


Process Stage 

Threat/Risk 

SAP Controls 

• Processing Integrity and 

Validity 

• Errors in output and stored 
data 

• Data Matching 

• File Labels 

• Database Processing Integrity Controls 


Examples of Processing Controls 

1. Document Flow 


• Tracks the sales order throughout the sales process. In the example below, the sales process is 
complete via a payment from the customer. 


Document Flow 

a h Status overview Display document Service documents QS 


Business partner 0000001096 Rocky Mountain Bikes 
Material DXTR3096 Deluxe Touring Bike (red) 


I 


sail [a .] 

Document 

Quantity Unit Ref. value Currency On Status 

’ □ => Standard Order 0000000094 / 10 

10 EA 32,000.00 USD 11/11/2013 Completed 

- 0 Outbound Delivery 0080000092 / 10 

10 EA 11/11/2013 Completed 

• 0 Picking request 20131111 / 10 

• 0 GD goods issue:delvy 4900000437 / 1 
" 0 Invoice 0090000090 / 10 

10 EA 11/11/2013 Completed 

10 EA 14,000.00 USD 11/11/2013 complete 

10 EA 32,000.00 USD 11/11/2013 Completed 

• 0 Accounting document 0090000000 

10 EA 11/11/2013 Cleared 
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Appendix C: Output Controls From Accounting Information Systems 


Process Stage 

Threat/Risk 

SAP Controls 

• Output Review, Reconciliation 
and Error Handling 

• Use of inaccurate or 
incomplete reports 

• Reviews and Reconciliations 

• Encryption and Access Controls 

• Parity Checks 

• Message Acknowledgement Techniques 


Examples of Output Controls 

1. Revenue Verification 

• Verify if revenue was posted correctly 



Data Entry View 
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Document Date 
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110000 Trade Receivables 32,000.00 USD 
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000002 

50 

600000 Sales Revenue 32,000.00- USD 



Copyright by author(s); CC-BY 


359 


The Clute Institute 












































American Journal Of Business Education - Fourth Quarter 2014 


Volume 7, Number 4 


2. Cost of Goods Sold Verification 

• Verify if Cost of Goods sold was posted correctly 

A* . Display Document: General Ledger View 
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3. Status Control Verification 

• Review status of the Sales Order 
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